Re: an error occurred while importing the site definition

On 9/22/2010 1:40 AM, Peter Schwandner wrote:
> Can someone help me to import a cisco.pcf file.
>
> I always get the message: an error occurred while importing the site
> definition
>
> I have tried 3 or 4 files with the same group but other users.
> What's the problem in the file:
>
Give this a try. The client was trying to hex-decode the plain text.
http://www.shrew.net/download/vpn/vpn-client-2.1.7-hexpcf-1.exe
-Matthew

Re: JUNOS/SRX with Shrew VPN

On 9/22/2010 2:50 PM, Lars Vik wrote:
> Hi,
>
> Anyone managed to get Shrew VPN to work with JUNOS on the SRX-series?
> (SRX240H-POE).
>
Hi Lars,
I don't have a SRX series gateway device in my lab. At one point, the
folks at Juniper were going to ship me one but they never did. What kind
of issues are you having?
-Matthew

Re: Session terminated by gateway

On 9/22/2010 7:10 PM, Leblanc, Guy (IT) wrote:
> I am not a VPN expert so I read forums and apply instructions. I found
> that the only way for me to get rid of the "session terminated by
> gateway" issue was to disable my Windows 7 (64 bits) firewall in
> addition to setting Phase-2 PFS=2 as recommended. (Windows firewall
> issued no warning that it had blocked anything Shrew, though, even if
> the notification option was checked). Once the Windows firewall has been
> disabled on my domain connection with my head office, the tunnel remains
> stable over my Linksys WRT-610N WIFI broadband home router/gateway (with
> its own firewall active, btw).
>
> I have now installed Shrew version 2.1.7 beta but I still have to
> disable the Windows firewall to eliminate the error. Is there a
> workaround to this? Much has been written regarding interference from
> some specific router firewalls but after reading many forums, I seem to
> be the only one having to disable its Windows firewall. Does anybody have an idea?
>
This is an interesting issue. I believe the Windows firewall has been
implemented as a Windows Filtering Platform driver which is higher in
the NDIS stack than the Shrew Soft LWF driver. In other words, this
shouldn't cause any packets sent during IKE negotiations to be blocked
by the filter. My guess is that the client didn't negotiate an initial
IPsec SA after the connection had been established. A Cisco gateway will
terminate the connection unless this occurs. Disabling the Windows FW
may have allowed packets to traverse the tunnel ( DNS or something
similar ) which allowed the IPsec SA to be established and the tunnel to
remain active.
I would suggest you try to install the latest 2.1.7 RC and see if that
makes any difference. Michael Kenny submitted a patch ( which has been
committed ) that fixes a bug related to the initial SA negotiation which
may resolve your issue. If that doesn't help, try starting a ping to an
IP address on the distant side of the tunnel, and then try the
connection. If the ping starts to respond after you connect and the
connection remains stable, please let me know. There may be something
else we can do to improve the situation.
-Matthew

Re: Nortel

On 9/23/2010 7:16 AM, Andersson, Henrik (Integration and Application
Centers) wrote:
> Has anyone set up the Shrew client for use instead of a Nortel VPN client?
>
> Henrik Andersson | System developer
> Application Management | Logica Sweden
> Rådhusgatan 15-17, 831 41 Östersund | Sweden
> T: +46 63 15 22 84
> hen.andersson@... | www.logica.com
>
>
I don't have a Nortel device in my lab for testing. If you do try to use
the client and run into issues, you can post your results here and we
will do what we can to help.
-Matthew

Re: Ipsec to Mikrotik RouterOS

On 9/26/2010 1:58 PM, Greg-Texmesh wrote:
> Has anyone set up Shrew 2.1.6 on Windows XP or 7 and connected to a
> Mikrotik router running RouterOS4.2 or higher?
>
> I need help!!!
>
It would appear that the MikroTik router uses racoon as its IKE daemon,
so the client should work well with that platform. I don't have such a
device in my lab for testing so I can't offer a configuration howto for
that particular platform. However, if you read the VPN Client docs which
are available on our website, you should be able to get it up and
running. It has detailed information on how to configure racoon to work
with the Shrew Soft VPN Client ...
http://www.shrew.net/static/help-2.1.x/vpnhelp.htm?ConfiguringIPsecTools.html
However, it doesn't look like the MikroTik supports the modecfg section
of racoon, which means the client won't be able to support the IKE
config push/pull methods. That means you will need to either disable the
virtual adapter or use static virtual adapter addresses for each client
and configure any private DNS/WINS settings manually. Disappointing.
-Matthew

Re: VPN connection with Alcatel-Lucent Brick

On 9/28/2010 8:45 AM, Sławomir Krok wrote:
> Hi
>
> I was able to solve this on my own. Problem was actually caused by
> Alcatel-Lucent IP Sec client which was on the same PC. Even when it was
> off, there were a few services working and blocking Shrew. This was a bit
> of a surprise because in the past I was using Alcatel client with e.g. Cisco
> and Juniper clients on the same PC and all of them worked fine.
> So, after uninstalling Alcatel client I could ping remote hosts, and
> remote desktop works fine too.
>
Thanks for the followup post. Different VPN Clients capture and process
IKE and IPsec traffic differently. We have invested a lot of time into
making sure our VPN client doesn't interfere with other clients that may
be installed ( only install divert rules for specific peer IP's and only
process traffic which match our specific IPsec SA identifiers ).
However, other VPN clients aren't nearly as accommodating and will try
to process traffic that they shouldn't. This can cause the Shrew Soft VPN
client to work incorrectly. It's all very implementation specific.
-Matthew
_______________________________________________
vpn-help mailing list
vpn-help <at> lists.shrew.net
http://lists.shrew.net/mailman/listinfo/vpn-help

Re: DNS server preference

On 9/28/2010 3:40 PM, lst_hoe02@... wrote:
> Hello
>
> we like to set for all VPN users a "preferred" internal DNS-server to
> resolve internal addresses and external ones. Unfortunately it seems
> that after bringing up the VPN still the DNS server assigned to the
> Windows LAN Interface is used. This is especially annoying with providers
> which lie about non-existing domains to redirect to some search page.
>
> Details:
>
> Client OS Windows XP-SP3 with ShrewSoft VPN Client 2.1.6 and a virtual
> interface with manual assigned IP address and DNS server. No Split DNS
> or search suffix set. Name resolution by hand works fine across the
> tunnel but as said the DNS server assigned by DHCP to the Windows LAN
> Interface is used first.
>
> Any chance to get the VPN DNS Server as preferred??
>
Hi Andreas,
How do you have DNS configured on the client OS? Is "Append primary and
connection specific DNS suffixes" or "Append these DNS suffixes ( in
order )" selected under the advanced TCP/IP settings DNS tab?
-Matthew